[Linux network] Linux firewall iptables

00. Table of Contents

01. Overview of iptables


In early Linux systems, the iptables firewall management service was used by default to configure the firewall. Although the newer firewalld firewall management service has been available for many years, a large number of enterprises continue to use iptables in production environments for various reasons, so iptables remains very much alive in today's production environments. The configuration ideas behind the different firewall management tools are consistent, so mastering iptables is also a useful reference when learning other firewall management tools later.

02. Strategy and rule chain

The firewall reads the configured policy rules in order from top to bottom. As soon as a rule matches, matching stops immediately and the action defined by that rule (i.e. allow or block) is carried out. If no rule matches after all policy rules have been read, the default policy is applied. Generally speaking, firewall policy rules come in two kinds: "pass" (i.e. allow) and "block" (i.e. deny). When the firewall's default policy is deny (block), you must add allow (pass) rules, otherwise nobody can get in; when the default policy is allow, you must add deny rules, otherwise everyone can get in and the firewall loses its preventive effect.

The iptables service calls the policy entries used to process or filter traffic rules. Multiple rules form a rule chain, and rule chains are classified according to the point at which they process data packets, as follows:

  • Process packets before routing (PREROUTING);
  • Handle incoming packets (INPUT);
  • Process outgoing data packets (OUTPUT);
  • Process forwarded packets (FORWARD);
  • Processing of packets after routing (POSTROUTING).

Generally speaking, traffic sent from the internal network to the external network is mostly controllable and benign, so the most commonly used rule chain is the INPUT chain, which raises the bar for an attacker trying to break into the internal network from outside.

For example, in the residential community where you live, the property management company has two regulations: small traders and vendors are prohibited from entering the community; all vehicles must be registered when entering the community. Obviously, these two regulations should be applied at the main entrance of the community (where all traffic must pass), not at the security door of each household. Based on the matching order of firewall policies described above, several scenarios are possible. If the visitor is a small trader or vendor, he or she is turned away directly by the property management company's security guard, and there is no need to go on to vehicle registration. If a visitor drives through the main entrance in a car, the first rule ("no small traders or vendors") does not match, so the second rule is matched in sequence, that is, the vehicle has to be registered. If a community resident walks in through the main entrance, neither regulation matches, so the default release policy is applied.

However, policy rules alone cannot guarantee the security of the community. The security guards also need to know what action to take on the traffic that matches, such as "allow", "deny", "register" and "ignore". These actions correspond to the following iptables terms: ACCEPT (allow the traffic to pass), REJECT (refuse the traffic and reply), LOG (record log information), and DROP (silently discard the traffic). "Allow traffic to pass" and "record log information" are both easy to understand. What needs explaining is the difference between REJECT and DROP. DROP discards the traffic directly and does not respond at all; REJECT, after refusing the traffic, replies with a message meaning "the packet was received but discarded", so the sender can clearly see a rejection response.

Here is an example to help readers understand the difference between these two rejection actions more intuitively. One day you are watching TV at home and suddenly hear a knock on the door. Through the peephole of the security door you see a door-to-door salesperson; you open the door, say you don't need anything, and turn them away (REJECT). But if what you see is a creditor who has brought a dozen of his men to collect a debt, not only do you refuse to open the door, you also stay silent and pretend you are not at home (DROP).

When the firewall policy on the Linux system is set to the REJECT action, the traffic sender sees a "port unreachable" response:

[deng@local ~]# ping -c 4 192.168.10.10
PING 192.168.10.10 (192.168.10.10) 56(84) bytes of data.
From 192.168.10.10 icmp_seq=1 Destination Port Unreachable
From 192.168.10.10 icmp_seq=2 Destination Port Unreachable
From 192.168.10.10 icmp_seq=3 Destination Port Unreachable
From 192.168.10.10 icmp_seq=4 Destination Port Unreachable
--- 192.168.10.10 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3002ms

After changing the firewall policy on the Linux system to the DROP action, the traffic sender only sees a response timeout. It cannot tell whether the traffic was dropped or whether the receiving host is simply offline:

[deng@local ~]# ping -c 4 192.168.10.10
PING 192.168.10.10 (192.168.10.10) 56(84) bytes of data.

--- 192.168.10.10 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3000ms

03. iptables command

iptables is a command-line firewall policy management tool with a large number of parameters. Fortunately, for day-to-day firewall policy configuration you only need to master the commonly used parameters and combine them flexibly, which is enough to cope with everyday work.

In terms of the OSI seven-layer model, iptables works at the second, third and fourth layers, so it can match traffic on its source address, destination address, transport protocol, service type and other information; once a match succeeds, iptables handles the traffic with the action preset by the policy rule. In addition, remember that firewall policy rules are matched from top to bottom, so the stricter, higher-priority rules should be placed first to avoid mistakes.

Commonly used iptables parameters and their functions

Parameter        Effect
-P               Set the default policy of a chain
-F               Flush (clear) the rule chain
-L               List the rule chain
-A               Append a new rule at the end of the rule chain
-I num           Insert a new rule at the head of the rule chain (or at position num if given)
-D num           Delete the rule with the given number
-s               Match the source address IP/MASK; prefix it with "!" to match everything except this IP
-d               Match the destination address
-i interface     Match packets arriving on this network interface
-o interface     Match packets leaving via this network interface
-p               Match a protocol such as TCP, UDP or ICMP
--dport num      Match the destination port number
--sport num      Match the source port number

04. iptables example

4.1 Add the -L parameter after the iptables command to view the existing firewall rule chain.

deng@local:~/code$ sudo iptables -L 
[sudo] deng 的密码: 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
deng@local:~/code$ 

4.2 Add the -F parameter after the iptables command to clear the existing firewall rule chain.

deng@local:~/code$ sudo iptables -F 
deng@local:~/code$ sudo iptables -L 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
deng@local:~/code$ 

4.3 Set the default policy of the INPUT rule chain to deny.

deng@local:~/桌面$ sudo iptables -P INPUT DROP
[sudo] deng 的密码: 
deng@local:~/桌面$ sudo iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
deng@local:~/桌面$ 

Firewall policy rules come in two kinds: "pass" and "block". After setting the INPUT chain to deny by default, you need to write allow rules into it, otherwise all incoming data packets are dropped by default.

When the default policy of a rule chain is set to deny, the action can only be DROP, not REJECT (REJECT is only available as the target of an individual rule).

4.4 Add policy rules that allow ICMP traffic to enter the INPUT chain

The ping command is often used to check whether a remote host is online. Adding a rule that allows ICMP traffic to the firewall's INPUT chain lets this ping check through even though the chain's default policy is DROP.

deng@local:~/桌面$ sudo iptables -I INPUT -p icmp -j ACCEPT
deng@local:~/桌面$ sudo iptables -L 
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

deng@local:~/桌面$ ping -c 4 192.168.1.254
PING 192.168.1.254 (192.168.1.254) 56(84) bytes of data.
64 bytes from 192.168.1.254: icmp_seq=1 ttl=255 time=29.5 ms
64 bytes from 192.168.1.254: icmp_seq=2 ttl=255 time=16.9 ms
64 bytes from 192.168.1.254: icmp_seq=3 ttl=255 time=34.0 ms
64 bytes from 192.168.1.254: icmp_seq=4 ttl=255 time=18.3 ms

--- 192.168.1.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 16.895/24.681/34.016/7.282 ms
deng@local:~/桌面$ 
4.5 Delete the policy just added to the INPUT rule chain (allow ICMP traffic), and set the default policy to allow.

The -F parameter clears all existing firewall policies; the -D parameter deletes one specified policy, so it is safer and more precise.

deng@local:~/桌面$ sudo iptables -L 
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
deng@local:~/桌面$ sudo iptables -D INPUT 1
deng@local:~/桌面$ sudo iptables -L 
Chain INPUT (policy DROP)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
deng@local:~/桌面$ 
deng@local:~/桌面$ sudo iptables -P INPUT ACCEPT
deng@local:~/桌面$ sudo iptables -L 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
deng@local:~/桌面$ 

4.6 Set the INPUT rule chain to only allow hosts in the specified network segment to access port 22 of the local machine, and deny traffic from all other hosts.

To match a certain host, you can directly write its IP address; if you need to match a network segment, you need to write it in the form of a subnet mask (such as 192.168.1.0/24).

deng@local:~$ sudo iptables -I INPUT -s 192.168.2.0/24 -p tcp --dport 22 -j ACCEPT
deng@local:~$ sudo iptables -L 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  192.168.2.0/24       anywhere             tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
deng@local:~$ 
deng@local:~$ sudo iptables -A INPUT -p tcp --dport 22 -j REJECT
deng@local:~$ 

deng@local:~/桌面$ sudo iptables -L 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  192.168.2.0/24       anywhere             tcp dpt:ssh
REJECT     tcp  --  anywhere             anywhere             tcp dpt:ssh reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
deng@local:~/桌面$ 
deng@local:~/桌面$ sudo iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
deng@local:~/桌面$ sudo iptables -L 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  192.168.1.0/24       anywhere             tcp dpt:ssh
ACCEPT     tcp  --  192.168.2.0/24       anywhere             tcp dpt:ssh
REJECT     tcp  --  anywhere             anywhere             tcp dpt:ssh reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
deng@local:~/桌面$ 
4.7 Add a policy rule that denies everyone access to the local port 12345 to the INPUT rule chain.

deng@local:~$ sudo iptables -I INPUT -p tcp --dport 12345 -j REJECT
deng@local:~$ sudo iptables -I INPUT -p udp --dport 12345 -j REJECT
deng@local:~$ sudo iptables -L 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
REJECT     udp  --  anywhere             anywhere             udp dpt:12345 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:12345 reject-with icmp-port-unreachable
ACCEPT     tcp  --  192.168.1.0/24       anywhere             tcp dpt:ssh
ACCEPT     tcp  --  192.168.2.0/24       anywhere             tcp dpt:ssh
REJECT     tcp  --  anywhere             anywhere             tcp dpt:ssh reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
deng@local:~$ 

4.8 Add a policy rule that denies the 192.168.1.5 host from accessing the local port 80 (Web service) to the INPUT rule chain.

deng@local:~$ sudo iptables -I INPUT -p tcp -s 192.168.1.5 --dport 80 -j REJECT
deng@local:~$ sudo iptables -L 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
REJECT     tcp  --  192.168.1.5          anywhere             tcp dpt:http reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere             udp dpt:12345 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:12345 reject-with icmp-port-unreachable
ACCEPT     tcp  --  192.168.1.0/24       anywhere             tcp dpt:ssh
ACCEPT     tcp  --  192.168.2.0/24       anywhere             tcp dpt:ssh
REJECT     tcp  --  anywhere             anywhere             tcp dpt:ssh reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
deng@local:~$ 

4.9 Add a policy rule that denies all hosts access to ports 1000 to 1024 of the local machine to the INPUT rule chain.

When adding firewall policies earlier, the -I parameter was used; by default it places the rule at the top of the chain, so that rule has the highest priority. If you need a final catch-all rule, use the -A parameter instead, which appends the rule at the end of the chain. The effect of the two parameters is very different:

deng@local:~$ sudo iptables -A INPUT -p tcp --dport 1000:1024 -j REJECT
deng@local:~$ sudo iptables -A INPUT -p udp --dport 1000:1024 -j REJECT
deng@local:~$ sudo iptables -L 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
REJECT     tcp  --  192.168.1.5          anywhere             tcp dpt:http reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere             udp dpt:12345 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpt:12345 reject-with icmp-port-unreachable
ACCEPT     tcp  --  192.168.1.0/24       anywhere             tcp dpt:ssh
ACCEPT     tcp  --  192.168.2.0/24       anywhere             tcp dpt:ssh
REJECT     tcp  --  anywhere             anywhere             tcp dpt:ssh reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             tcp dpts:1000:1024 reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere             udp dpts:1000:1024 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
deng@local:~$ 

4.10 The configured firewall policy takes effect permanently

By default, firewall rules configured with the iptables command are lost the next time the system is restarted. If you want the configured firewall policy to take effect permanently, you must also run the save command. Note that iptables-save writes the rule set to standard output, as shown below; to make it survive a reboot, redirect that output to a file and load it at boot with iptables-restore (for example via the iptables-persistent package on Debian/Ubuntu, which reads /etc/iptables/rules.v4):

deng@local:~$ sudo iptables-save 
# Generated by iptables-save v1.8.7 on Sun Sep 24 10:46:55 2023
*filter
:INPUT ACCEPT [1398:218485]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.1.5/32 -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 1000:1024 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 1000:1024 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Sun Sep 24 10:46:55 2023
deng@local:~$ 
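As an added example that is not part of the original post, the following Python script simulates the top-to-bottom, first-match walk described in section 02 over the INPUT chain saved in 4.10: it parses the -A lines from iptables-save, runs sample packets through them, and lets you compare a rule inserted at the head (like -I) with the same rule appended at the end (like -A), the point made in 4.9. It understands only the -s, -p and --dport matches used on this page; the sample addresses and packets in the tests (such as 10.0.0.9) are constructed.

```python
import ipaddress

# Constructed from the INPUT chain of the iptables-save listing in section 4.10.
SAVED_RULES = """\
:INPUT ACCEPT [1398:218485]
-A INPUT -s 192.168.1.5/32 -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 1000:1024 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 1000:1024 -j REJECT --reject-with icmp-port-unreachable
"""

def parse_chain(saved, chain="INPUT"):
    """Return (default policy, rules) for one chain; only -s, -p and --dport are understood."""
    policy, rules = "ACCEPT", []
    for line in saved.splitlines():
        tok = line.split()
        if tok[:1] == [f":{chain}"]:                 # ":INPUT ACCEPT [pkts:bytes]"
            policy = tok[1]
        elif tok[:2] == ["-A", chain]:
            rule = {"src": None, "proto": None, "dport": None, "target": None}
            for flag, value in zip(tok, tok[1:]):
                if flag == "-s":
                    rule["src"] = ipaddress.ip_network(value, strict=False)
                elif flag == "-p":
                    rule["proto"] = value
                elif flag == "--dport":              # single port or low:high range
                    lo, _, hi = value.partition(":")
                    rule["dport"] = (int(lo), int(hi or lo))
                elif flag == "-j":
                    rule["target"] = value
            rules.append(rule)
    return policy, rules

def matches(r, src, proto, dport):
    # A rule matches only when every match it carries is satisfied by the packet.
    return ((r["src"] is None or ipaddress.ip_address(src) in r["src"])
            and (r["proto"] is None or r["proto"] == proto)
            and (r["dport"] is None or (dport is not None and r["dport"][0] <= dport <= r["dport"][1])))

def evaluate(saved, src, proto, dport=None, chain="INPUT"):
    """Top-to-bottom walk: the first matching rule decides, otherwise the chain's default policy applies."""
    policy, rules = parse_chain(saved, chain)
    return next((r["target"] for r in rules if matches(r, src, proto, dport)), policy)

def with_rule(saved, rule_line, at_head):
    """Add one rule first (like -I) or last (like -A) so the effect of ordering can be compared."""
    lines = saved.splitlines()
    rules = [l for l in lines if l.startswith("-A ")]
    rules = [rule_line] + rules if at_head else rules + [rule_line]
    return "\n".join([l for l in lines if not l.startswith("-A ")] + rules)
```

Appending a REJECT for 192.168.1.5 on port 22 with -A changes nothing, because the earlier ACCEPT for 192.168.1.0/24 already decides that traffic; inserting the same rule with -I puts it in front and it takes effect.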

05. Discussion

06. Appendix

Origin blog.csdn.net/dengjin20104042056/article/details/133234474